Archive for April 2017

Google and Facebook Confess to Being Corporate Scam Victims

Two tech companies who were victims of a $100 million payment scam have been revealed to be Facebook and Google.

According to an investigation by Fortune, Lithuanian Evaldas Rimasauskas allegedly forged email addresses, invoices, and corporate stamps in order to impersonate a large Asian-based manufacturer with whom the tech firms regularly did business.

Over two years, he is alleged to have convinced accounting departments at the two tech companies to make transfers worth tens of millions of dollars. By the time the firms figured out what was going on, Rimasauskas had coaxed out over $100 million in payments, which he promptly stashed in bank accounts across Eastern Europe.

Spokespeople for Google and Facebook this week confirmed that they were the victims in question. Facebook claimed that it “recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation”, while a Google spokesperson said: “We detected this fraud against our vendor management team and promptly alerted the authorities. We recouped the funds and we're pleased this matter is resolved.”

Mark James, IT security specialist at ESET, said: “It’s a fact in today’s digital world that there is always someone trying to scam you. We fight it, we delete it, we even highlight it and use it to teach others what to look out for, but there is one thing humans are good at and that’s adapting. Most spam or phishing attacks end up a failure, but that’s the nature of these types of attacks: they don’t all have to succeed.

“For us to be safe we have to detect or block 100% of those attempts, but they only need to get one right. If someone puts their mind to doing something there is a good chance they will succeed, whether that’s education, business or foul deeds. The good thing about the latter is most of the time people get caught. This particular plan involved forging email addresses, invoices, and corporate stamps in order to trick some big companies into believing they are dealing with the ‘right’ company and handing over thousands; it just goes to prove that all companies, large and small, can be scammed.”

Lee Munson, security researcher at Comparitech, said: “Phishing or, more appropriately in this case ‘CEO Fraud’, poses a huge problem to organizations of all sizes. While technical controls have a small part to play in reducing the likelihood of such an attack being successful, it is staff awareness training that is key here.

“While current disclosure laws may not require the victims in this case to come clean about what happened – from a financial point of view – I certainly believe there is a public interest angle. Investors in technology firms have a right to know that the business is managing its systems and people in an effective way that minimises risks that can have a significant impact – and CEO Fraud is relatively easy to identify and avoid – especially in this case, where the scam was allowed to continue unchecked over a two-year period.”

Bitcoin Value Rises to Over $1300

The cash value of a Bitcoin has risen to an all time high, with one Bitcoin now worth more than $1,300.

Citing the CoinDesk Bitcoin Price Index, which at the time of writing was worth $1,308, CNBC has said that Bitcoin has risen by 23% this month. The previous high was $1,325.81, reached on 10 March just before the SEC rejected a bitcoin exchange-traded fund application, which hit the cryptocurrency’s value.

Aaron Higbee, CTO and co-founder at PhishMe, told Infosecurity that there are multiple influences on Bitcoin’s price fluctuation. “The biggest moves can usually be tied to government regulations or policy changes like India’s aggressive change to get cash declared and in banks. Some fans of cryptocurrency only see long term viability if people start transacting it for normal goods or services. This shakes the stigma that it’s only used on the underground for illicit goods.”

Research conducted by Infosecurity determined that a common payout for a ransomware infection by an average person was around five bitcoins, which at current prices would come in at over $65,000.

Higbee said: “While it’s difficult to tie Bitcoin price swings to any one event, one thing for sure, Bitcoin transactions are on the rise due to the increasing victim count of those who’ve had their computers infected via phishing emails delivering ransomware. Cybercriminals are not price adjusting their ransomware phishing emails.

“Depending on the ransomware family and affiliate, the typical ransom request has been either .5 or 1 btc. This means that a year ago today, you would be paying $225-$450 to decrypt a single computer. Today you are paying $650-$1320.

“I’m sure this isn’t lost on the ransomware phishing cybercriminals. While malicious actors are celebrating the price increase, folks like the Gemini Capital Winklevoss twins are biting their nails since they need cryptocurrency to have legitimate uses if the SEC will ever overturn their ETF rejection. Cybercriminals getting rich on phishing isn’t helping their case.”

Nomx Researchers Defend Work, Dispute Unfair Test Claims

Will Donaldson, CEO and CTO of nomx, has continued to claim that his email security tool is secure, that tests by UK researchers were not fair and an up-to-date version is available for testing.

After UK researcher Scott Helme and Professor Alan Woodward from the University of Surrey released research about vulnerabilities in the nomx technology, Donaldson issued a statement to press which claimed that the devices which were powered by the Raspberry Pi “were primarily used for demonstration and media use.”

In Infosecurity’s story published yesterday, it was alleged by Helme and Woodward that the nomx box failed on a number of security promises, and contained mostly outdated software.

Donaldson claimed that one of the early devices was provided to the BBC which was later provided to Helme. “Rooting was done, in his words, by taking the memory card from the Raspberry and inserting it into his PC, and then resetting the root password,” he said.

“This process allowed him to access the nomx from his local network. He then created a very specialized code that was unique to the management page of the nomx device he had in his possession. This code originated from a Cross Site Request Forgery, requires users to click a link or visit a hacked website, and that link then performs actions from the users’ browsers when it downloads the package from the internet.

“After he created the code, he loaded it to his own webpage to target the nomx device he had previously rooted and was in his possession and on his own network. He then simply modified the nomx data through a website link that he clicked himself. The act of the attack would require very detailed information about the local nomx device and a subsequent phishing link sent to the proposed victim, or visiting a third party compromised website, and the victim must have been logged in to their nomx device initially and then accept the phishing link or visit the compromised website.”

Donaldson claimed that because of this effort, “the threat was non-existent for our users, even if they were to have an earlier version and code.” He accused Helme of not being fair or accurate in his findings, “because no nomx devices were actually compromised or could be compromised unless the users were to take those steps, which could not occur in a real-world situation outside of the lab.”
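The dispute above turns on how a cross-site request forgery against a device management page works: a browser that is logged in to the device will attach the session cookie to any request, including one triggered by a page the attacker controls. The standard defence is for the management page to refuse state-changing requests unless the browser proves they came from the page itself. The following Go handler check is an added example written for this article; it is not nomx code and makes no claim about how the nomx device is implemented. The hostname `device.example`, the header and form field names, and the session token are all constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// Errors returned by checkCSRF. A real handler would log the error and
// respond with 403 rather than processing the request.
var (
	ErrMissingOrigin = errors.New("state-changing request carries neither Origin nor Referer")
	ErrForeignOrigin = errors.New("request originates from a site other than the device's own page")
	ErrBadToken      = errors.New("anti-CSRF token missing or does not match the session")
)

// checkCSRF decides whether a state-changing request to a device management
// page may proceed. allowedHost is the host the device expects to be addressed
// as (constructed: "device.example"); sessionToken is the per-session secret the
// device embedded in its own forms when it rendered the page.
func checkCSRF(r *http.Request, allowedHost, sessionToken string) error {
	// Safe methods must not change state, so they need no token.
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return nil
	}

	// Check 1: Origin/Referer. Browsers set these headers themselves and a
	// page on another site cannot override them, so a foreign value means the
	// request was triggered from somewhere other than the device's own page.
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	if src == "" {
		return ErrMissingOrigin
	}
	u, err := url.Parse(src)
	if err != nil || u.Host != allowedHost {
		return ErrForeignOrigin
	}

	// Check 2: synchronizer token. The attacker's page cannot read the token
	// out of the device's page (same-origin policy), so it cannot forge it.
	// Constant-time comparison avoids leaking the token through timing.
	got := r.Header.Get("X-CSRF-Token")
	if got == "" {
		got = r.FormValue("csrf_token") // constructed form field name
	}
	if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(sessionToken)) != 1 {
		return ErrBadToken
	}
	return nil
}

func main() {
	const token = "constructed-session-token"

	// A request the device's own page would send.
	legit, _ := http.NewRequest(http.MethodPost, "https://device.example/admin/update", nil)
	legit.Header.Set("Origin", "https://device.example")
	legit.Header.Set("X-CSRF-Token", token)
	fmt.Println("own page:", checkCSRF(legit, "device.example", token))

	// The same request as a third-party page would cause the browser to send it:
	// the session cookie would be attached, but Origin names the other site and
	// the token is absent.
	forged, _ := http.NewRequest(http.MethodPost, "https://device.example/admin/update", nil)
	forged.Header.Set("Origin", "https://third-party.example")
	fmt.Println("other site:", checkCSRF(forged, "device.example", token))
}
```

Both checks are kept because they fail independently: the Origin check alone is defeated if a deployment sits behind a proxy that strips headers, and the token check alone is defeated if the token is ever exposed to another origin. Only requests that pass both reach the code that changes device settings.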

BBC technology reporter Dan Simmons confirmed on Twitter that the nomx boxes given to him and BBC Click “were offered as 'as sold' and not test units nor prototypes.”

Helme told Infosecurity that he would be happy to be involved in testing the boxes, and did not understand why they needed to be in the USA and could not be shipped to the UK.

Woodward said that Donaldson’s comments were “typical of the interactions we have had during this whole process” and he sought to “move the work into a scenario where nomx control how we can operate and control the ‘rules of the game’. We do not intend to do that as it is not a proper test of the device.”

Woodward further claimed that other researchers have found other ways to exploit the box, and “we would be delighted for nomx to ship us a new box today and we'd see if it solves the vulnerabilities we identified” as the Raspberry Pi version was still available on the nomx website.

Donaldson claimed that “when confronted with a real-world opportunity to prove their claims, they backed out” and “when given the opportunity to actually hack a nomx device that was not in their possession, or rooted, or on their own network, they didn't.” He also released Helme and Woodward’s email addresses in an email to press.

Woodward confirmed that he and Helme gave “no such permission for our emails to be sent out but if anyone has a problem with our work we would really like to hear from them, especially if they feel that they believe the nomx box provides the ‘absolute confidentiality’ claimed on their website.”

He also said that where Helme had ‘grudgingly accepted’ that the box cannot be compromised, Donaldson was “being most definitely economical” with the truth.

“Scott has had only the one verbal interaction I’m aware of and I’m sure I’ve seen the other emails, and in none of that did either of us claim that the box could be compromised in 10 minutes [nor] did we subsequently confirm his assertions about it not being possible to compromise his test box,” he said.

Nearly Three-Quarters of UK Unis Are Phishing Victims

Some 70% of UK universities have fallen victim to phishing attacks, according to new data from Duo Security.

The vendor submitted Freedom of Information (FoI) requests to 70 universities late last year and received responses from 51.

Some 72% said they had fallen victim to a phishing email over the past 12 months.

Even more worryingly, 12 universities said they’d been hit by such attacks over 10 times in the period, and seven claimed they’d been struck more than 50 times.

These included unis running GCHQ-certified degree courses, such as Oxford, Duo Security claimed.

Action Fraud has alerted educational institutions in the past about the dangers of phishing.

In May last year it warned of a new campaign in which students received an email purporting to come from their finance department, telling them they’d been awarded a grant and asking for their bank account details.

Then in February this year another Action Fraud missive alerted university staff to more than 100 reports of victims receiving bogus pay rise emails.

The phishers this time claimed to be emailing from the university HR department, in a bid to collect staff financial details by claiming they were in for a pay rise.

“The findings reveal that universities – staff and students – make popular targets for these attacks, which leaves them vulnerable to all kinds of security risks,” argued Duo Security EMEA vice president, Henry Seddon.

“They open the doors to hackers, with stolen credentials, to access an organization’s system virtually undetected, posing as an authorised user. Worryingly, phishing is now the most popular way of delivering ransomware onto an organization’s network.”

Universities are of course not alone in being targeted by phishing attacks.

The 2017 Verizon Data Breach Investigations Report, out this week, revealed phishing is now present in a fifth (21%) of attacks, up from just 8% the previous year.

As Seddon explained, phishing isn’t just targeted at victims’ financial details; it can be an easy way for cybercriminals or state-sponsored hackers to get hold of valuable log-ins.

Some 81% of hacking-related breaches succeed through stolen, weak or easy-to-guess passwords, according to Verizon.

Credential phishing of webmail accounts was revealed by Trend Micro this week as one of the main ways infamous Russia-linked APT group Pawn Storm infiltrates victim organizations.

However, victim devices are primarily located in Iran (20%), Brazil (9%), Vietnam (8%) and Russia (8%).

As reported previously, Hajime spreads like Mirai via unsecured devices that have open Telnet ports and use default passwords, and uses the same log-in combinations as Mirai plus two more.

However, it’s more resilient – based on a P2P architecture – and is modular, meaning new capabilities could be added over time. It also has no DDoS functionality at the moment, and is only focused on propagation.

Kaspersky Lab analysis found that Hajime’s attack module supports three different attack methods; the newest being TR-064 exploitation.

However, the researchers are still bemused as to the end goal of the campaign.

Some have speculated that it could be a white hat trying to lock down endpoints before the likes of Mirai get hold of them.

That’s because it blocks access to several ports which host services that can be exploited by malware including Mirai.

Plus, infected devices display a cryptographically signed message from the author: “Just a white hat, securing some systems.”

“The most intriguing thing about Hajime is its purpose. While the botnet is getting bigger and bigger, its objective remains unknown. We have not seen its traces in any type of attack or additional malicious activity,” said Konstantin Zykov, senior security researcher, Kaspersky Lab.

“Nevertheless, we advise owners of IoT devices to change the password of their devices to one that’s difficult to brute force, and to update their firmware if possible.”

FalseGuide Malware Racks Up 2 Million Installs on Google Play

The FalseGuide malware has infested several apps in the Google Play store, providing yet more evidence against the conventional wisdom that sticking to the official app store is safe.

According to Check Point researchers, the trojanized apps were uploaded to the app store as early as November 2016, meaning they hid successfully for five months, accumulating an alarming 2 million infected users.

“The malware… was hidden in more than 40 guide apps for games,” said researchers in an analysis. “Check Point notified Google about the malware, and it was swiftly removed from the app store. At the beginning of April, two new malicious apps were uploaded to Google Play containing this malware, and Check Point notified Google once again.”

FalseGuide creates a silent botnet out of the infected devices for adware purposes, and it requests an unusual permission on installation—device admin permission—in order to avoid being deleted by the user.

“The malware then registers itself to a Firebase Cloud Messaging topic which has the same name as the app,” researchers noted. “Once subscribed to the topic, FalseGuide can receive messages containing links to additional modules and download them to the infected device… the botnet is used to display illegitimate pop-up ads out of context, using a background service that starts running once the device is booted. Depending on the attackers’ objectives, these modules can contain highly malicious code intended to root the device, conduct a DDoS attack, or even penetrate private networks.”

Mobile botnets are a growing trend since early last year, growing in both sophistication and reach.

“This type of malware manages to infiltrate Google Play due to the non-malicious nature of the first component, which only downloads the actual harmful code,” the researchers said. Users shouldn’t rely on the app stores for their protection, and should implement additional security measures on their mobile devices, just as they use similar solutions on their PCs.

US Federal Government Overwhelmingly Vulnerable to Breaches

When it comes to data breaches, 34% of US federal government respondents have experienced one in the last year, according to new survey data.

According to the 2017 Thales Data Threat Report, Federal Edition, issued in conjunction with analyst firm 451 Research, 65% of governmental organizations have experienced a data breach at some point. Almost all (96%) consider themselves ‘vulnerable’, with half (48%) stating they are ‘very’ or ‘extremely’ vulnerable.

About 53% of federal respondents cite lack of budget and lack of staff (also 53%) as the top reasons for data insecurity. That’s translating into action: About 61% of US federal respondents also said they’re increasing security spending this year—up from last year’s 58% figure.

But when compared to other industries this number is markedly lower (81% of healthcare respondents, 77% of retail respondents and 78% of financial services respondents claim to have increased spending).

“The US federal government is racing to boost data security against odds not generally faced in the private sector today,” said Garrett Bekker, principal analyst for Information Security at 451 Research. “A major challenge in securing the far-flung systems in the US federal government is the plethora of aging legacy systems still in place, with one example being a 53-year-old Strategic Automated Command and Control System at the Department of Defense that coordinates US nuclear forces and uses 8-inch floppy disks. In short, this ‘perfect storm’ of very old systems, tight budgets and being a prime cybercrime target has created a stressful environment.”

Pressures to use advanced technologies (cloud, Big Data, internet of things (IoT) and containers) are only making the problem worse. While 92% of federal respondents will use sensitive data in an advanced technology environment this year, 71% of federal respondents believe this will occur without proper security in place.

On a positive note, encryption is cited as the top data security control (60%) for ensuring data privacy and enabling digital transformation through the use of advanced technologies. Additionally, 73% of respondents would increase their cloud service deployments if offered data encryption in the cloud (with federal agencies maintaining control of the keys). Sixty-three percent of respondents also list data encryption as the first choice for enabling further IoT deployments, and 55% cite encryption as the top security control for increasing container adoption.

“US federal agencies are fighting an uphill data security battle. In addition to the issues cited, the federal sector has one of the most hopeful views of compliance, with 64% of respondents viewing it as ‘very’ or ‘extremely’ effective in preventing data breaches,” said Peter Galvin, VP of strategy, Thales e-Security. “As the breach count rises, it’s fair to question whether meeting compliance mandates are enough. There is encouraging news, however. Like their private sector peers, public sector IT employees are clearly interested in digital transformation through the use of new technologies. This innovation is admirable, but it must be paired with increased data security.”

Shadow Brokers Attack Tools Light Up Chinese and Russian Darknet

Russian and Chinese “cyber-communities” have been actively researching and sharing information on the recent Shadow Brokers leak of alleged NSA attack tools, suggesting cyber-criminals and state hackers could be looking to capitalize on unpatched systems around the world, according to new data.

It features codenames such as EternalBlue, EmeraldThread and EternalChampion, referring to exploits developed mainly to target Microsoft systems.

Although Redmond claimed in a speedy response that none of the tools work against supported products, there’s still danger for organizations running either unsupported systems like XP or those who aren’t up-to-date with their patches.

That danger was highlighted by intelligence from Recorded Future this week which revealed a lot of chatter in Russian and Chinese forums about the data dump.

“Chinese-speaking actors additionally focused on the unique malware trigger point and some claimed that the patches for CVE-2017-0143 through -0148 were insufficient because they did not address the base code weaknesses”, it added.

Given that Chinese APT groups have historically been able to weaponize zero day threats just days after their public release, there’s an increased risk that “malicious Chinese actors may reuse or repurpose this malware”, the firm said.

Meanwhile, in Russia, Recorded Future spotted a noted cyber-criminal providing detailed tutorials on how to weaponize EternalBlue, along with the DoublePulsar kernel payload.

Others apparently recommended EternalBlue to a hacker looking for help on exploiting a vulnerable Server Message Block version 1 (SMBv1) system.

The “cyber community” in this instance could refer to cyber-criminals and state-sponsored hackers, as well as professional researchers and curious amateurs, a Recorded Future spokesperson confirmed to Infosecurity Magazine.

Symantec Offers Collaborative Proposal to End Google Spat

Symantec has put forward a series of proposals designed to resolve a long-running dispute with Google over trust in its certificate business, claiming the latter’s plans could have a significant negative impact on major customers.

These included a motion to reduce the accepted validity period of newly issued Symantec-issued certificates to nine months or less, require the re-validation and replacement of all currently-trusted Symantec-issued certificates, and temporarily remove EV status for all Symantec-issued certs for at least a year.

However, in a lengthy response yesterday, Symantec claimed that after consulting its customers, it believes such steps could have a major “compatibility and interoperability impact”, particularly on financial services, critical infrastructure, retail and healthcare firms.

It argued that many such firms have “complex, and potentially undocumented and little-known dependencies on their certificate infrastructure”, for example, embedded devices, mobile apps and critical infrastructure resources that are pinned to Symantec certs.

These dependencies could mean any migration off Symantec could take years, the security giant argued, before proposing a new solution.
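The practical problem Symantec describes above is that an organization often does not know which of its systems depend on a particular CA. The first step in responding to a proposal like Google's is therefore an inventory: collect the certificates actually deployed and flag those issued under the CA in question or with a validity period longer than the proposed nine-month cap. The Go program below is an added example of that check, not Symantec's, Google's or any browser's code. It generates its own test certificates so it runs offline; the issuer organization names are constructed placeholders, and the nine-month cap is approximated as 270 days.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding is one reason a deployed certificate needs attention before a
// browser changes how it treats the issuing CA.
type Finding struct {
	Subject string
	Reason  string
}

// maxValidity approximates the nine-month cap from the proposal (270 days).
const maxValidity = 270 * 24 * time.Hour

// auditCerts flags certificates whose issuer organization appears in
// distrustedOrgs (a list the operator maintains) or whose lifetime exceeds
// maxValidity. A certificate can produce both findings.
func auditCerts(certs []*x509.Certificate, distrustedOrgs []string) []Finding {
	var out []Finding
	for _, c := range certs {
		for _, org := range c.Issuer.Organization {
			for _, d := range distrustedOrgs {
				if strings.EqualFold(org, d) {
					out = append(out, Finding{c.Subject.CommonName, "issued under distrusted CA organization " + org})
				}
			}
		}
		if life := c.NotAfter.Sub(c.NotBefore); life > maxValidity {
			days := int(life.Hours() / 24)
			out = append(out, Finding{c.Subject.CommonName, fmt.Sprintf("validity of %d days exceeds the cap", days)})
		}
	}
	return out
}

// makeLeaf builds a throwaway CA with the given organization name and signs a
// leaf certificate for cn with it, so the example has realistic input without
// touching any real CA. Constructed test data only.
func makeLeaf(cn, issuerOrg string, validity time.Duration) *x509.Certificate {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	ca := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{issuerOrg}},
		NotBefore:             now,
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now,
		NotAfter:     now.Add(validity),
	}
	// Signing with the CA's key makes the CA's Subject the leaf's Issuer.
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func main() {
	inventory := []*x509.Certificate{
		makeLeaf("api.example", "Constructed Distrusted CA", 2*365*24*time.Hour),
		makeLeaf("www.example", "Constructed Other CA", 90*24*time.Hour),
	}
	for _, f := range auditCerts(inventory, []string{"Constructed Distrusted CA"}) {
		fmt.Printf("%s: %s\n", f.Subject, f.Reason)
	}
}
```

In practice the inventory would come from scanning listeners, application keystores and device firmware rather than being generated in code; the point of the audit is that the embedded and pinned dependencies Symantec mentions only become visible once every deployed certificate has been collected and checked the same way.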

This includes commissioning a backward-looking third-party audit of all active EV certificates, rather than have Google remove its EV status.

It also proposed commissioning a third-party audit of all certificates issued by an SSL/TLS Registration Authority (RA) partner.

In a bid to improve transparency, Symantec also proposed: a WebTrust audit for the period from December 1 2016 to May 31 2017, followed by quarterly audits thereafter; a quarterly update letter to the community on the progress of audits; working with the CA/B forum to recommend new/updated guidelines for customer exception requests to baseline requests; and a bid to improve the timeliness of responses to the browser community and the level of technical detail in them.

That’s not all. Symantec also claimed it would move to shorter validity certificates to reduce exposure, increase security and risk investments in its CA business and make other operational improvements.

"Because this is a big picture issue that impacts the entire ecosystem, we believe a collaborative process based on understanding the needs of all parties is required in order to work towards the shared goal of making the internet a safer place,” said Roxane Divol, general manager of Symantec Website Security.

“As such, our proposal outlines important measures that Symantec intends to implement as part of our continuous improvement efforts to provide increased transparency into our CA operations and enhance our processes. As we work to implement these measures, we remain committed to ensuring business continuity for our CA customers and complying with the requirements of the browser community, so that we can reach a solution that is in the best interests of all stakeholders.”

It remains to be seen whether this range of measures will be enough to placate Google. After all, the history of bad blood between the two goes back several years, when a series of mis-steps forced several Symantec bods from their jobs in 2015.

Symantec’s move was welcomed by Kevin Bocek, vice president of security strategy & threat intelligence at Venafi, who claimed the market would become increasingly volatile as security issues and vulnerabilities in the certificates system come to light.

“This is a critical time for business: the system of trust that provides identities for machines is becoming increasingly complex and businesses are unprepared to respond to change in an agile way. This should act as a wake-up call to all businesses that rely on encryption to protect their machine identities, as it isn’t something that is going away,” he told Infosecurity Magazine.

“Symantec’s shift to shorter lifetime certificates and use of threat intelligence should be applauded. However, the identity of machines and use of encryption is so important that it can’t be left to CAs alone, businesses must take action, responsibility, and gain agility. CAs have a responsibility to improve their processes but they are far from alone in carrying this burden.”

Cyber-Spies Go Mainstream, Blamed for One in Five Breaches

Cyber-espionage appears to have hit the mainstream, dominated by state-sponsored operatives and taking the slot as most popular attack method in the public sector, education and manufacturing industries, according to Verizon.

The firm’s much anticipated 2017 Data Breach Investigations Report revealed that one in five (21%) breaches were related to espionage: that’s a total of 289 over the report period, more than 90% of which were state-backed.

The fruits of these efforts have been widely reported in recent months, most notably the Kremlin’s attempts to influence the outcome of the US presidential election by hacking and then leaking sensitive Democratic Party officials’ emails.

This week, Trend Micro claimed that a group allied to Russia’s interests – known as APT28, Pawn Storm and Fancy Bear – had also registered phishing emails to target the campaign of French presidential hopeful Emmanuel Macron.

“The proportion of attacks motivated by the state is still on the rise, and these hackers are becoming more aggressive each year,” Verizon managing principal of investigative response, Laurance Dine, told Infosecurity Magazine.

“The report reveals that state-affiliated actors were responsible for a quarter of its recorded phishing attacks, almost three times as many compared to the 2016 DBIR, where they were responsible for just 9% of phishing attacks.”

Phishing has become a hugely successful tactic overall, present in a fifth (21%) of attacks, up from just 8% last year.

Linked to that stat is another that organizations should take note of: 81% of hacking-related breaches succeed through stolen, weak or easy-to-guess passwords.

It’s clear that staff training on how to spot phishing, combined with a move away from password-based authentication to multi-factor systems, should be encouraged.

Overall, the volume of breaches and stolen records has risen sharply in recent years. Just four million records were lost in 2011, whereas this year’s report covered 1945 breaches including 20 where over a million records were lost.

Dine recommended layered security as a key strategy to mitigate the risks posed by an increasingly agile and determined enemy.

“With a lot of espionage attacks, hackers want to have access for as long as possible without being detected. They get into the network, do some foot-printing and scanning, see what they can get, and can stay under the radar by piggybacking off normal activity. This means hackers can just get one code to the backdoor and they get the keys to the kingdom,” he explained.

“Our advice would be to only give people privileges to certain parts of the network that they actually need to do their job. It is also important to have network monitoring to identify any unusual activity, so that if a hacker has gained access then they can be detected. Monitor outbound traffic to see if anyone is making connections that they have no logical reason to be making – if people are doing things they have nothing to do with their jobs it should raise an alarm. It all goes back to the idea of assuming you have been breached and looking for intruders to give themselves away. Layered security is the only way to do this.”
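Dine's second recommendation, monitoring outbound traffic for connections a host has no reason to make, is straightforward to prototype: learn each host's usual outbound destinations from a window believed to be clean, then alert on any host-to-destination pair that was never seen in that window. The Go program below is an added example written for this article and is not Verizon's tooling. The log lines are constructed (timestamp, host, destination:port) and the addresses are from the RFC 5737 documentation ranges; a real deployment would feed firewall, proxy or NetFlow records through the same two stages.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample flow records, one per line: "timestamp host dst:port".
// The learning window is traffic from a period believed to be clean.
const learningLog = `2017-04-01T09:00:01Z workstation-01 10.0.0.5:445
2017-04-01T09:00:07Z workstation-01 203.0.113.10:443
2017-04-01T09:01:12Z workstation-02 10.0.0.5:445
2017-04-01T09:01:40Z workstation-02 203.0.113.10:443
2017-04-01T09:02:03Z workstation-01 10.0.0.9:53`

// The monitored window contains one host repeatedly reaching a destination it
// has never used before, the pattern Dine describes.
const monitoredLog = `2017-04-24T14:10:02Z workstation-01 10.0.0.5:445
2017-04-24T14:10:30Z workstation-01 198.51.100.77:443
2017-04-24T14:11:05Z workstation-02 203.0.113.10:443
2017-04-24T14:12:46Z workstation-01 198.51.100.77:443`

type flow struct{ host, dst string }

// parseFlows turns log lines into flow records, skipping malformed lines
// rather than aborting on them.
func parseFlows(log string) []flow {
	var out []flow
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 {
			continue
		}
		out = append(out, flow{host: f[1], dst: f[2]})
	}
	return out
}

// baseline maps each host to the set of outbound destinations it normally uses.
type baseline map[string]map[string]bool

// learn builds the baseline from the clean window.
func learn(flows []flow) baseline {
	b := baseline{}
	for _, f := range flows {
		if b[f.host] == nil {
			b[f.host] = map[string]bool{}
		}
		b[f.host][f.dst] = true
	}
	return b
}

// detect returns one alert per (host, destination) pair absent from the
// baseline. Repeated connections to the same new destination are counted in a
// single alert, so a host beaconing to a new endpoint stands out by its count.
// A host absent from the baseline has every destination flagged, which is the
// right default for an unknown machine appearing on the network.
func detect(b baseline, flows []flow) []string {
	counts := map[string]int{}
	for _, f := range flows {
		if !b[f.host][f.dst] {
			counts[f.host+" -> "+f.dst]++
		}
	}
	var alerts []string
	for pair, n := range counts {
		alerts = append(alerts, fmt.Sprintf("%s: %d connection(s) to a destination this host has never used", pair, n))
	}
	sort.Strings(alerts)
	return alerts
}

// run applies both stages to the constructed logs and returns the alerts.
func run() []string {
	return detect(learn(parseFlows(learningLog)), parseFlows(monitoredLog))
}

func main() {
	for _, a := range run() {
		fmt.Println(a)
	}
}
```

The baseline is deliberately per host rather than global: a destination that is normal for a file server is still unusual for a workstation, which is exactly the "things they have nothing to do with their jobs" test Dine describes. The main operational caveat is that the learning window must genuinely be clean, otherwise an attacker who is already present is learned as normal.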